Differences From Artifact [73dfe01bb8]:

• File Dockerfile — part of check-in [77d603c6a1] at 2022-08-06 04:24:33 on branch trunk — Replaced Jan Nijtman's Dockerfile with a new one that does a 2-stage build. The first stage runs atop Alpine Linux instead of Fedora, reducing the initial build from ~635 MiB to about 16. Rather than stop there, I then made it multi-stage, copying two key static binaries — Fossil and Busybox — over from the first stage into a fresh-from-scratch container and set it up to run the former jailed away from the latter. The result is under 9 MiB, and it's as secure as one can hope, given that it starts up in "PUBLIC" mode. The new build doesn't have all the extra features turned on that the old one did, but it seems right to build the container with Fossil in its default configuration. If you want something else, copy the Dockerfile, hack it, and make it do what you want instead. Having done all this, I replaced the one-off Dockerfile inline in section 5.0 of the build doc with a reference to this new Dockerfile and rewrote the section in terms of the new capabilities. Finally, this lets us brag on how small the container can be, as compared to the Gitlab-CE container. Before, we were comparing a standalone binary to the container, which wan't entirely fair. (The desire to produce such a container was the spark that kicked this project off.) (user: wyoung size: 1870)

To Artifact [6544dd045b]:

• File Dockerfile — part of check-in [289c9b501c] at 2022-08-06 19:56:26 on branch trunk — Did away with the temporary src.tar.gz file in the new Docker container by streaming the output of wget straight into tar's stdin. This cuts the build time by about five seconds, presumably due to the saving from unnecessary file I/O. Also replaced the explicit "cd src" afterward with an out-of-tree build configuration, since it doesn't matter if we clutter the first stage's /tmp dir. (user: wyoung size: 1830)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# STAGE 1: Build a static Fossil binary atop Alpine Linux

# Avoid the temptation to swap the wget call below out for an ADD URL
# directive.  The URL is fixed for a given release tag, which triggers
# Docker's caching behavior, causing it to reuse that version as long
# as it remains in the cache.  We prefer to rely on the caching of the
# server instance on fossil-scm.org, which will keep these trunk
# tarballs around until the next trunk commit.

FROM alpine:latest AS builder
WORKDIR /tmp
RUN apk update                                               \
     && apk upgrade --no-cache                               \
     && apk add --no-cache                                   \
         busybox-static gcc make                             \
         musl-dev                                            \
         openssl-dev openssl-libs-static                     \
         zlib-dev zlib-static                                \
     && wget https://fossil-scm.org/home/tarball/src.tar.gz  \
     && tar -xf src.tar.gz                                   \
     && cd src                                               \
     && ./configure --static CFLAGS='-Os -s'                 \
     && make -j

# STAGE 2: Pare that back to the bare essentials.

FROM scratch
ENV JAIL=/jail
WORKDIR ${JAIL}
COPY --from=builder /tmp/src/fossil ${JAIL}/bin/
COPY --from=builder /bin/busybox.static /bin/busybox
RUN [ "/bin/busybox", "--install", "/bin" ]
RUN mkdir -m 700 dev                   \
    && mknod -m 600 dev/null    c 1 3  \
    && mknod -m 600 dev/urandom c 1 9

# Now we can run the stripped-down environment in a chroot jail, while

|
|
|
|
|
|
|
|
<
<
|







|

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19


20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

# STAGE 1: Build a static Fossil binary atop Alpine Linux

# Avoid the temptation to swap the wget call below out for an ADD URL
# directive.  The URL is fixed for a given release tag, which triggers
# Docker's caching behavior, causing it to reuse that version as long
# as it remains in the cache.  We prefer to rely on the caching of the
# server instance on fossil-scm.org, which will keep these trunk
# tarballs around until the next trunk commit.

FROM alpine:latest AS builder
WORKDIR /tmp
RUN apk update                                                         \
     && apk upgrade --no-cache                                         \
     && apk add --no-cache                                             \
         busybox-static gcc make                                       \
         musl-dev                                                      \
         openssl-dev openssl-libs-static                               \
         zlib-dev zlib-static                                          \
     && wget -O - https://fossil-scm.org/home/tarball/src | tar -xz    \


     && src/configure --static CFLAGS='-Os -s'                         \
     && make -j

# STAGE 2: Pare that back to the bare essentials.

FROM scratch
ENV JAIL=/jail
WORKDIR ${JAIL}
COPY --from=builder /tmp/fossil ${JAIL}/bin/
COPY --from=builder /bin/busybox.static /bin/busybox
RUN [ "/bin/busybox", "--install", "/bin" ]
RUN mkdir -m 700 dev                   \
    && mknod -m 600 dev/null    c 1 3  \
    && mknod -m 600 dev/urandom c 1 9

# Now we can run the stripped-down environment in a chroot jail, while